Compliance Online

POPI Act Compliance Training.
Done Right.

Simple. Flexible. Cost-effective.

Learn More

Who are we?

2 date on calendar

We have more than 21 years’ experience

graduation cap sign

We focus on legal compliance training

money sign

We have trained more than 120 000 trainees

lines

We have rolled out more than 200 000 training units

80 cell icon

We have more than 80 localised programmes

What do we offer?

We are a specialist provider of legal and regulatory compliance training solutions to private and public sector entities.

We assist with the design and development of customisable online training programmes and a range of awareness-raising tools.

We have developed technology that caters specifically for the intricacies of online compliance training. Our training platform is state-of-the-art; developed using the latest technology; and specifically designed to eliminate distractions.

Get In Touch

POPIA

Protection of Personal Information Act

The Protection of Personal Information Act (POPIA) sets conditions for how your business may process personal information. Our training programmes provide an overview of the rationale for and aims of POPIA.

POPIA has been signed into law and companies are advised to train their employees on the do’s and don’ts of processing personal information. Our training is specifically designed to ensure that institutions and information officers comply with their obligation to conduct internal awareness sessions.

Considering that POPIA covers the processing of employees’ and clients’ information, any breach of the act can have serious repercussions for your human resources department and your business.

Our training programmes demystify the concept of personal information and explain when and how your employees have to comply with POPIA.

Be prepared – contact us to assist you with a proactive approach to raising awareness of POPIA in your business.

Our programmes are CPD accredited.

On completion of our programmes, the trainees will be familiar with:

• POPIA and who must comply with it.
• The meaning of “personal information” in terms of POPIA.
• When information is “processed”.
• The rules they must comply with when processing
information.
• The practical steps your business needs to take to ensure
compliance with POPIA.
• The consequences of non-compliance.

Not sure where to start?

Get In touch

Training Overview

Number 1 emblem
What programmes do we offer?
We offer 4 fully customisable training programmes:

1. POPIA in a Nutshell
2. POPIA: General Awareness
3. POPIA for IT
4. POPIA with reference to the GDPR
number 2 emblem
How many trainees are required to purchase a programme?
Contact us for a training solution that best suits your needs.
Number 3 emblem
What topics do the programmes cover?
Our programmes cover a range of topics - from the basics around what personal information is, to what your compliance obligations are under POPIA.

Contact us for more information regarding our extensive learning outcomes.
Number 4 emblem
How long does it take to complete our programmes?
Our programme duration times range from 1 to 3 hours.
Number 5 emblem
What is the cost of our training?
Our pricing depends on the number of trainees you enrol.

Contact us for the best pricing solution for you or your company.
Number 6 emblem
Are our programmes accredited?
Our programmes are CPD accredited by the Compliance Institute of South Africa and the Financial Planning Institute of Southern Africa.

Compliance Online is also accredited with the Services SETA.
Get In touch

Clients

Brands we’ve worked with include:

Danone Logo
Afgri Logo
sappi logo
SEACOM logo
Media 24 logo
Tiger Brands logo
Pioneer Foods logo
Parmalat logo
nashua logo
Hulamin logo
Smarley logo
Henkel logo
L'oreal logo
Heinz logo
Kaap Agri logo
Egoli Gas logo
impala platinum logo
Defy logo
Business connection logo
Aveng Group logo
ARM logo
Air products logo
AECI logo
AfriSam logo
Adcock ingram logo

Questions

Frequently asked questions

Here’s a list of popular questions about POPIA. Contact us to enquire about how we can help your company comply.

number 1 emblem
What is POPIA and why is it important for companies in South Africa?
The Protection of Personal Information Act, or POPIA, is South Africa’s data privacy law. It sets the rules for how companies gather, use, and share people’s personal information. POPIA protects the right to privacy and builds trust in the digital world. Companies in South Africa must comply with POPIA.
number 2 emblem
What are the key principles and requirements of POPIA?
POPIA has eight core rules:
● Accountability
● Processing limitation
● Purpose specification
● Further processing limitation
● Information quality
● Openness
● Security safeguards
● Data subject participation

These rules govern how your business deals with personal information.
number 3 emblem
How does POPIA define "personal information"?
Personal information refers to any information that can be used to identify a living person or an existing business. This includes things like names, contact details, ID numbers, email addresses, and more.

Extra sensitive personal information, called special personal information, gets special protection under POPIA. Examples include religious beliefs, race, and political views.
number 4 emblem
What are the implications of non-compliance with POPIA?
Not complying with POPIA can have serious consequences, such as
● regulatory fines;
● claims for damages;
● reputational damage;
● loss of customer trust and loyalty;
● imprisonment or fines for individuals; and
● disruptions to company operations.
number 5 emblem
What steps should companies take to ensure compliance with POPIA?
To comply with POPIA, companies should
● appoint dedicated compliance leads;
● figure out how information flows through the business;
● review policies;
● get proper consent from customers;
● have valid reasons for using people's information, and more.
number 6 emblem
How can companies protect personal information and prevent data breaches?
To protect personal information, companies should
● classify data sensitivity;
● encrypt sensitive data and control access;
● train employees;
● have audit controls;
● install security tools like firewalls and anti-malware;

and much more.
number 7 emblem
What are the rights of individuals under POPIA?
People have the right
● to be notified about the collection of their personal information;
● to ask for access to and corrections of their personal information;
● to object to the processing of their personal information; and
● to make complaints to regulators, and be notified about serious data breaches.
number 8 emblem
What are the responsibilities of companies in handling and processing personal information?
Companies must
● appoint dedicated compliance leads;
● obtain proper consent from customers when required;
● have valid and lawful reasons for collecting and using personal information;
● gather information directly from the people concerned where possible; and
● only retain personal information as long as necessary for the original purpose.
number 9 emblem
What are the consequences of unauthorised access or disclosure of personal information?
Unlawfully accessing or disclosing someone's personal information can lead to legal penalties, lawsuits, criminal charges, business disruptions, damage to reputation, and loss of trade secrets and intellectual property.
number 10 emblem
How can companies obtain consent for collecting and using personal information?
Consent must be clearly stated, voluntary, specific and informed.

It means that requests for consent must be in plain language, the person must understand what they are giving consent to, and the consent must be actively given (such as by ticking a box).
number 11 emblem
What are the requirements for transferring personal information outside of South Africa?
POPIA only allows for the transfer of personal information outside of South Africa if the other country has adequate legal protection for personal information, or there are binding corporate rules or a binding agreement that provides the right protection.

It can also be transferred if the data subject consents to the transfer, or the transfer is necessary to fulfil a contract.
number 12 emblem
How can companies handle data subject access requests under POPIA?
To properly handle access requests, companies should
● designate a contact point for requests;
● verify individuals' identities before providing any information; and
● respond within 30 days where possible or communicate timelines for more complex requests.
number 13 emblem
What are the obligations of data protection officers or designated responsible parties?
Data protection officers and compliance leads must
● advise the business on privacy compliance;
● monitor compliance and conduct audits;
● handle people's requests to access or correct their personal information; and
● act as a contact point for regulators.
number 14 emblem
What are the considerations for data retention and data destruction under POPIA?
For retaining information, companies must only keep personal information as long as necessary for the original purpose, define clear retention periods in policies, regularly review and update retention schedules, and get consent for retaining information indefinitely.

A company must not destroy personal information it must retain, and it must destroy the information correctly and securely.
number 15 emblem
How should companies handle direct marketing activities under POPIA?
For direct marketing, companies must
● obtain explicit consent for marketing purposes;
● provide easy opt-out methods;
● register opt-outs to avoid contacting people again;
● only use the information for purposes that match what consent was given for;
● be careful not to overstep with contact frequency; and
● exercise caution when marketing to vulnerable groups.
number 16 emblem
What are the reporting and notification requirements for data breaches?
For data breaches, companies must
● notify regulators promptly about serious breaches;
● provide details of breaches to regulators;
● notify affected individuals directly in high-risk cases;
● give recommendations to mitigate harm to notified individuals;
● and keep internal records of all breaches that occur.
number 17 emblem
What are the steps for conducting privacy impact assessments?
A risk assessment must be done for every processing activity and involve these steps:
● identify the activity that must comply with POPIA;
● determine who in a company is involved in the activity;
● determine who is responsible for following the POPIA rules; and
● assess the difficulty of enforcing compliance; and
● rate the risk.
number 18 emblem
How can companies develop and implement a POPIA compliance programme?
To develop a POPIA compliance program, companies should:
● demonstrate commitment to POPIA compliance;
● do a risk assessment;
● put policies and procedures in place;
● train their employees;
● monitor and report on their POPIA responsibilities; and
● evaluate and improve their compliance programme.
number 19 emblem
What are the enforcement measures and penalties for non-compliance with POPIA?
POPIA gives the Information Regulator significant enforcement powers including conducting audits, issuing compliance notices, imposing large administrative fines, pursuing criminal prosecution, and taking civil action in courts.
number 20 emblem
What are the emerging trends and developments in POPIA compliance?
Key trends in privacy include
●privacy by design;
● ISO 27701 certifications;
● early privacy impact assessments;
● privacy tools and automation;
● improved cross-border data flows;
● revised cookie consent approaches;
● privacy-security alignment;
● regulator cooperation; and
● AI privacy in South Africa.
Get In touch

Gallery

What can you expect

Previous
Next

Testimonials

What do our clients say about us

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.
Ema SmithCEO | Company
Ema Smith
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.
Ema SmithCEO | Company
Ema Smith
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.
Ema SmithCEO | Company
Ema Smith
Previous
Next
Get In Touch

POPIA establishes guidelines for processing personal information. This programme offers an overview of the rules your employees must follow. On completion, trainees will understand:

* The relevance of POPIA and who must comply   

* The definition of “personal information” 

* When information is “processed” under POPIA  

* The rules for properly processing information

* Practical steps to ensure POPIA compliance

* Consequences of non-compliance   

POPIA sets conditions for processing personal information. This programme explains POPIA’s rationale and aims. With POPIA now law, train your employees on proper processing of personal information.  

Given POPIA covers employee and client information, breaches can impact your business. This programme demystifies “personal information” and explains when/how employees must comply

We offer bespoke pricing for all clients. We offer bulk ‘slot’ packages, where companies can purchase a bundle of slots upfront to distribute across our training programmes over a 12-month period.

The more slots purchased, the larger the discount. This allows organisations to train as many employees as needed on essential compliance and skills development topics at a competitive rate.

Contact us for a free consultation and custom pricing proposal based on your organisation’s requirements.

The Protection of Personal Information Act or POPIA is South Africa’s data privacy law. It sets the rules for how companies gather, use, and share people’s private information. POPIA aims to protect folks’ right to privacy and build trust in the digital world.

For businesses in South Africa, following POPIA is key. It helps avoid getting fined, keeps customers’ trust, and gives companies a competitive edge. 

The Protection of Personal Information Act, or POPIA, is South Africa’s data privacy law. It sets the rules for how companies gather, use, and share people’s personal information. POPIA protects the right to privacy and builds trust in the digital world. 

Companies in South Africa must comply with POPIA. Compliance means that companies keep their customers’ trust, it gives them a competitive edge, and helps them to avoid fines. 

POPIA has eight core rules: responsibility, limiting how info is used, specifying why it’s used, limiting further use, high-quality info, openness, security, and involving people the info is about. Companies must follow these and meet needs like: getting consent, having lawful reasons to use the info, only gathering necessary info, securing info, giving people access to their info, etc.

POPIA has these eight core rules: Accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. 

These rules govern things like getting consent, gathering and using  personal information, securing personal information, and giving people access to their personal information – and much more.

POPIA uses a broad definition of personal information. It refers to any information that can be used to identify someone alive or an existing group. This includes things like: names, contact details, ID numbers, email addresses, biometric data, IP addresses, and even guesses made from other information.

Extra sensitive personal information like religious beliefs, race, political views also gets special protection under POPIA. 

Personal information refers to any information that can be used to identify a living person or an existing business. This includes things like: names, contact details, ID numbers, email addresses, biometric data, IP addresses, and even deductions made from other information. 

Extra sensitive personal information, called special personal information, gets special protection under POPIA. Examples include religious beliefs, race, and political views.

Not complying with POPIA can have serious consequences like:

  • Regulatory fines up to R10 million. 
  • Lawsuits and claims for damages from people whose info was misused.
  • Reputation damage and losing customer trust and loyalty. 
  • Business disruptions from enforcement actions. 
  • Missing opportunities to innovate using personal information.  
  • Competitive disadvantage compared to compliant companies.

Not complying with POPIA can have serious consequences for guilty parties, such as:

  • Regulatory fines of up to R10 million. 
  • Claims for damages.
  • Reputational damage and loss of customer trust and loyalty. 
  • Imprisonment or fines for individuals.
  • Disruptions to company operations.

To comply with POPIA, companies should: appoint dedicated compliance leads, figure out how information flows through the business, review policies, get proper consent from customers, have valid reasons for using people’s information, put good security controls in place, give people access to their information upon request, only keep information as long as necessary, properly train staff, regularly check compliance and do comprehensive impact assessments for high-risk information processing activities. Following POPIA is an ongoing responsibility and requires real commitment to privacy governance. 

Companies can ensure compliance with POPIA by following these steps:

  • Appoint an information officer and register them with the Information Regulator. 
  • Determine how information flows through the company.  
  •  Review company policies on data protection, or develop policies if they are not available. 
  • Ensure that there are valid reasons for using personal information, and get consent when the law requires it.
  •  Only keep personal information if it is required, and give people access to their information if they request it.
  • Put good security controls in place and do comprehensive impact assessments for high-risk processing activities. 
  • Ensure that staff is trained, and regularly check compliance with POPIA.

Remember that compliance is an ongoing responsibility and requires a commitment to good privacy governance.

To protect personal information, companies should classify data sensitivity, encrypt sensitive data, control access, train employees, audit controls, install security tools like firewalls and anti-malware, set strong password policies, back up data, monitor systems, develop incident plans, and stay up-to-date with threats and best practices.

Companies should take reasonable technical and organisational steps to secure personal information. Companies should:

  • Identify internal and external risks to processing personal information.
  •  Establish and implement appropriate measures to protect against these risks (think about encryption of sensitive data, access control, the installation of security tools like firewalls and anti-malware, and backing up important information).
  • Regularly review and update protective measures and train staff on them.
  • Stay up to date with the latest security threats and best practices.

Under POPIA, individuals have rights to be notified about the collection of their personal information, ask for access to and corrections of their data, object to processing and direct marketing, make complaints to regulators, and be notified about serious data breaches. Companies must enable individuals to exercise their rights.

Under POPIA, individuals have the right to 

  • be notified about the collection of their personal information,
  • ask for access to and corrections of their personal information, 
  • object to the processing of their personal information, and 
  • make complaints to regulators, and be notified about serious data breaches. 

Companies must not prevent individuals from exercising their rights.

Companies must: appoint dedicated compliance leads, obtain proper consent from customers when required, have valid and lawful reasons for collecting and using personal information, gather information directly from the people concerned where possible, only retain personal information as long as necessary for the original purpose, keep personal information secure, allow people access to their information and enable corrections upon request, properly train staff, conduct impact assessments for high-risk information processing activities, report serious data breaches to regulators and maintain records to demonstrate compliance with POPIA.

  •  Ensure that there are good reasons for using personal information, and get consent when the law requires it.
  • Only keep personal information if it is required, and give people access to their information if they request it.
  • Put good security controls in place and do comprehensive impact assessments for high-risk processing activities. 
  • Report serious data breaches to the regulators in the right way.

Unlawfully accessing or disclosing someone’s personal information can lead to: legal penalties, lawsuits, criminal charges, business disruptions, damage to reputation, loss of trade secrets and intellectual property. The consequences depend on how sensitive the information is, how many people are affected and whether it was due to negligence or deliberate wrongdoing. 

If the rules of POPIA are not followed, companies may face:

  • Regulatory fines of up to R10 million. 
  • Claims for damages.
  • Reputational damage and loss of customer trust and loyalty. 
  • Disruptions to company operations.
  • Imprisonment or fines for individuals.

To get proper consent, companies must: clearly explain why the information is needed and what it will be used for, inform people of their rights under POPIA, get an obvious confirmation that consent is given through a positive action like ticking a box, allow people to withdraw consent at any time, keep records to prove consent was given, get explicit consent for collecting and using sensitive information and get fresh consent if the purpose for using someone’s information changes significantly. 

Consent must be clearly stated, voluntary, specific and informed. It means that requests for consent must be in plain language, the person must understand what they are giving consent to, and the consent must be actively given (such as ticking a box). 

[Keep in mind that companies should allow people to withdraw their consent at any time, and that fresh consent must be obtained if the purpose of the collection of personal information has changed.(maybe remove, over info?)]

To transfer personal information overseas, companies must ensure there are similar privacy safeguards in place for the destination countries or put binding agreements in place, obtain explicit consent from the people involved for transferring their information abroad, only transfer information for the purpose stated when obtaining consent and keep records of all cross-border data transfers. 

Extra rules apply for transferring sensitive information and children’s personal information across borders.

POPIA only allows for the transfer of personal information outside of South Africa if the other country has adequate legal protection for personal information, or there are binding corporate rules or a binding agreement that provides the right protection.

It can also be transferred if the data subject consents to the transfer, or the transfer is necessary to fulfil a contract.

To properly handle access requests, companies should: designate a contact point for requests, verify individuals’ identities before providing any information, respond within 30 days where possible or communicate timelines for more complex requests, provide information in a format that’s easy to understand, only charge fees for excessive requests, grant requests unless there are lawful grounds for refusal, log and document all requests received, balance access rights with confidentiality by redacting sensitive information where needed, seek guidance for tricky requests and provide the specific access rights afforded to individuals under POPIA.

Data protection officers and compliance leads must: advise the business on privacy compliance, monitor compliance and conduct audits, handle people’s requests to access or correct their personal information, act as a contact point for regulators, help train staff, review the privacy impacts of new initiatives, deal with complaints and data breaches, investigate issues and recommend solutions, and stay up-to-date with regulations, risks and best practices.

For retaining information, companies must: only keep personal information as long as necessary for the original purpose, define clear retention periods in policies, regularly review and update retention schedules, get consent for retaining information indefinitely, have secure procedures in place to delete information that’s no longer needed, keep records of information destruction, consider placing time limits on consent and see if information can be anonymized for longer retention. 

A company should consider the following for data retention:

  • May it retain or archive personal information in terms of POPIA?
  • When it comes to legally archiving personal information, it must have established triggers and procedures for doing so.
  • When information is retained or archived, it must be done correctly and securely.

A company should consider the following for data destruciton:

  • It must not destroy personal information that it must retain.
  • It must destroy personal information correctly – this means it must be done so that the information can’t be reconstructed in an intelligible way.
  • It must destroy the information in a secure manner.

For direct marketing, companies must: obtain explicit consent for marketing purposes, provide easy opt-out methods, register opt-outs to avoid contacting people again, only use information for purposes that match what consent was given for, be careful not to overstep with contact frequency, exercise caution when marketing to vulnerable groups, screen purchased marketing lists against opt-out registers, keep records demonstrating consent and opt-outs, stay up-to-date with laws like anti-spam legislation, only gather and keep information necessary for marketing activities and properly secure such information.

POPIA applies to direct electronic marketing activities and all the POPIA rules apply to the processing of personal information for the purpose of direct electronic marketing. 

Explicit, voluntary and informed consent must be given, and companies have to ensure that:

  •  A record of consent given and withdrawn is kept.
  • The purpose and nature of the marketing does not differ from the type of consent given.

Companies should avoid contacting people too frequently.

For data breaches, companies must: notify regulators promptly about serious breaches, provide details of breaches to regulators, notify affected individuals directly in high-risk cases, give recommendations to mitigate harm for notified individuals, keep internal records of all breaches that occur, consider voluntarily reporting less-serious breaches to build trust, review when regulators and individuals should be notified based on severity and risks, look for signs that encrypted information may have been accessed and report such cases to regulators, and notify regulators where needed for transparency.

POPIA requires that a company notifies

  • the Information Regulator of a security breach as soon as possible, and
  • the person/s whose personal information has/have been compromised as soon as possible.

Take note that a company may delay notification under certain circumstances. Once it is ready to notify the regulator, it MUST use the form provided on the Information Regulator’s website.

To conduct privacy impact assessments, companies should: identify the need for an assessment, determine the scope, describe the personal information and sensitivities involved, identify risks and gaps in controls, assess risks and impacts against POPIA’s requirements, consult stakeholders, develop recommendations to address risks, create implementation plans, do periodic reviews and updates, provide oversight and approval, and keep records of assessments. 

A risk assessment must be done for every processing activity and involve these steps:

  1. Identify the activity that must comply with POPIA
  2. Determine who in a company is involved in the activity
  3. Determine who is responsible for following the POPIA rules 
  4. Assess the difficulty of enforcing compliance
  5. Rate the risk

To develop a POPIA compliance program, companies should: get executive support, appoint dedicated compliance leads, do a privacy maturity assessment, establish a governance committee, map personal information flows to understand processing activities, enhance the incident response plan, review and update policies and notices, train staff, implement additional safeguards where needed, establish monitoring mechanisms, develop guidelines for impact assessments, have procedures to keep the program up to date, consider regulator certification and maintain records demonstrating implementation.

To develop and implement an effective POPIA compliance programme, companies should:

  • Demonstrate commitment to POPIA compliance.
  • Do a risk-assessment.
  • Put policies and procedures in place.
  • Train their employees.
  • Monitor and report on their POPIA responsibilities.
  • Evaluate and improve their compliance programme.

POPIA gives the Information Regulator significant enforcement powers including: conducting audits, issuing compliance notices, imposing large administrative fines, pursuing criminal prosecution, taking civil action in courts, banning non-compliant processing activities, and publicising enforcement actions. Consequences can include punishment under the law, damages, and reputational harm.  

 

POPIA gives the Information Regulator powers to:

  • assess the conduct of companies 
  • to investigate the conduct of companies, and 
  • to punish the conduct of companies.

Non-compliance with POPIA can lead to: Regulatory fines of up to R10 million. 

  • Claims for damages.
  • Reputational damage and loss of customer trust and loyalty. 
  • Imprisonment or fines for individuals.
  • Disruptions to company operations.
Book A Demo
Download Programme Brochure